Analysis

max time kernel: 155s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/10/2022, 01:15

Static task: static1

Behavioral task: behavioral1
Sample: 1fc6d2f1a0240a709ea6b37a9721d0b03c07a99efd3eaa5e1832fc51dcd95938.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 1fc6d2f1a0240a709ea6b37a9721d0b03c07a99efd3eaa5e1832fc51dcd95938.exe
Resource: win10v2004-20220812-en
General

Target: 1fc6d2f1a0240a709ea6b37a9721d0b03c07a99efd3eaa5e1832fc51dcd95938.exe
Size: 657KB
MD5: 6c637e608d50c0d82981dbae7b480160
SHA1: a841e1e77ae14f8b56681c535b52708fe44027df
SHA256: 1fc6d2f1a0240a709ea6b37a9721d0b03c07a99efd3eaa5e1832fc51dcd95938
SHA512: 632b28b6f21430094fe26f0ffbbc4820a3844c6fe035a494824673058cc797c14a590b3ee710c23ed0013339efefc5eef035a5e95e8fa988ef88ea86c0d545fd
SSDEEP: 12288:OHqoKu9k/JCZHzT2JUnPxvjwsJhXMTos:Ovaf0P6srMr
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  Process: 1fc6d2f1a0240a709ea6b37a9721d0b03c07a99efd3eaa5e1832fc51dcd95938.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description: Key opened
  ioc: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Process: perfmon.exe

  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Process: perfmon.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 1136
  Process: perfmon.exe
  (all 64 entries are identical: pid 1136, perfmon.exe)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 1136
  Process: perfmon.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeDebugPrivilege
  pid: 1136
  Process: perfmon.exe

  description: Token: SeSystemProfilePrivilege
  pid: 1136
  Process: perfmon.exe

  description: Token: SeCreateGlobalPrivilege
  pid: 1136
  Process: perfmon.exe
-
Suspicious use of WriteProcessMemory (2 IoCs)
  description: PID 4236 wrote to memory of 1136
  pid: 4236
  Process: 1fc6d2f1a0240a709ea6b37a9721d0b03c07a99efd3eaa5e1832fc51dcd95938.exe
  procid_target: 82

  description: PID 4236 wrote to memory of 1136
  pid: 4236
  Process: 1fc6d2f1a0240a709ea6b37a9721d0b03c07a99efd3eaa5e1832fc51dcd95938.exe
  procid_target: 82
Processes

1. C:\Users\Admin\AppData\Local\Temp\1fc6d2f1a0240a709ea6b37a9721d0b03c07a99efd3eaa5e1832fc51dcd95938.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1fc6d2f1a0240a709ea6b37a9721d0b03c07a99efd3eaa5e1832fc51dcd95938.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 4236

   2. C:\Windows\System32\perfmon.exe (child of PID 4236)
      Command line: "C:\Windows\System32\perfmon.exe" /res
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      PID: 1136